I have a Nagios server 3.0.6 running on Ubuntu 8.04 Server. It is monitoring all things except the one below on multiple targets fine.
On a certain target, I am trying to monitor my /var/log/auth.log file for bad activity, such as failed password attempts, or attempts to login as invalid users, etc.
I am trying to do this via the check_log plugin via nrpe, but, I get a "Log check error: Log file /var/log/auth.log is not readable!" when the server checks on it.
The easiest way I have to reproduce the error is the following manually executed command from the host server:
/usr/local/nagios/libexec/check_nrpe -H target -c check_badpw
I know that it means that the file cannot be opened during the check, but, I don't understand why.
ls -l of /var/log/auth.log:
-rw-r----- 1 syslog adm 1590863 2009-05-12 10:47 /var/log/auth.log
In /etc/groups, I have added the "nagios" user to the adm group, so it should work.
Further, if I am logged in as root on the target, and do "su nagios", I can read /var/log/auth.log
Further, if I "chmod o+r /var/log/auth.log", the command executes properly.
Additionally, when I am logged into the target as root, and su to nagios and execute the command as defined in nrpe.cfg:
/usr/local/nagios/libexec/check_log -F /var/log/auth.log -O /usr/local/nagios/auth.badpasswords.log -q ": Failed password for"
it works fine.
So, I know it will work if I loosen the permissions on /var/log/auth.log, but, I'd prefer to keep them as tight as possible.
How can I determine why the check_nrpe command does not allow for reading of the /var/log/auth.log file on the target machine?